"Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities"
I have just read this sentence and I'm concerned because I have only a firewall (from the router and from FC4) working on FC4. Could you explain to me which actions I should take? Note: I have a Toshiba laptop, FC4, Gnome and Thunderbird. The only programs I know are Clamav and Spamassassin. Is it enough? Although I know FC4 has SELinux. Best regards, Joao.
Joao Paulo Pires wrote:
'Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities'
I have just read this sentence and I'm concerned because I have only a firewall (from the router and from FC4) working on FC4. Could you explain to me which actions I should take?
You already took a good action, which is to align yourself with the excellent security response behaviour of Redhat. The #1 action to take is to keep bang up to date with updates:
# chkconfig yum on
# service yum start
Make sure you have your local firewall up (system-config-securitylevel) and pierce only the ports that have to be externally accessible.
No firewalls will save you if you serve insecure PHP (but selinux might help) or install .tar.gz software from evil or perverted sources (nothing would help). Try to stick to RPMs from repos in yum, then you stand a chance to get security updates.
There is no absolute certainty: there have been attempts to poison the kernel and other software sources secretly with backdoors, and you cannot prove the negative, that there was no successful unknown attack present on the FC4 install media.
However you are already ten times safer than your neighbour running Windows :-) Attacks tend to concentrate on the easiest targets, and you aren't that simply by running Fedora.
-Andy
On Fri, 2005-11-25 at 14:48 +0000, Joao Paulo Pires wrote:
'Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities'
I have just read this sentence and I'm concerned because I have only a firewall (from the router and from FC4) working on FC4. Could you explain to me which actions I should take? Note: I have a Toshiba laptop, FC4, Gnome and Thunderbird. The only programs I know are Clamav and Spamassassin. Is it enough? Although I know FC4 has SELinux. Best regards, Joao.
Joao, there are certain probabilities of viruses and malware. True. The last one I heard of, days ago, was lupper/luppi: http://www.viruslist.com/en/weblog?weblogid=173665327
I didn't pay much attention, because I understand that any application which runs with root or high-level privileges could gain access to the entire system. So, if that application has a security hole, it could be exploited.
These are the actions you must take
- Understand the next points as habits, not as simple actions.
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
- Be informed with a quick tool, as an RSS reader. I use liferea.
- Be aware of the distro. The distribution comes with a set of tested packages. If one package is found to be a risk, the distro makers generate patched versions quickly. If you install a (non-distro) package and run it as root, it's your responsibility. Try to avoid weird packages, even more so if your system is a server. I like Fedora and Debian, but that's only my personal approach, YMMV.
- Theoretically, SELinux cares about exactly this kind of security (a package which asks to run as a high-level user is intended to do only what it is meant for, and access only the files it needs), and you must install it, knowing some services need additional configuration work. I wrote theoretically, because I haven't seen SELinux in action. Any comments?
- Additionally, you can install tools as rkhunter, http://www.rootkit.nl/
Clamav seeks mainly mail viruses, afaik. Spamassassin avoids spam, which is not precisely a linux threat, but a mail problem.
I expect comments, please. Thanks!
-- Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo Netzmanager Padep, GTZ 591-70656800, -22417628, LA PAZ, BOLIVIA http://otbits.blogspot.com -- A good speech is like a good dress that's short enough to be interesting and long enough to cover the subject
Rodolfo Alcazar wrote:
On Fri, 2005-11-25 at 14:48 +0000, Joao Paulo Pires wrote:
'Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities'
I have just read this sentence and I'm concerned because I have only a firewall (from the router and from FC4) working on FC4. Could you explain to me which actions I should take? Note: I have a Toshiba laptop, FC4, Gnome and Thunderbird. The only programs I know are Clamav and Spamassassin. Is it enough? Although I know FC4 has SELinux. Best regards, Joao.
Windows viruses depend on a large number of users all using the same broken software. If you step outside the norm, even on Windows, you reduce the likelihood of infection enormously. Use the Mozilla suite instead of Internet Exploder and Lookout (Express), and viruses relying on the vulnerabilities in MS malware.
In Linux, you don't a) have the numbers (as a proportion of all Internet users) b) have a large proportion all using the same software.
If you check email headers, you will see people here using kmail, mozilla, tbird, evolution, mutt, pine and probably others, and a few using Windows and OS X clients.
The likelihood of someone writing a single virus attacking more than one (counting Mozilla and tbird as one) _and_ getting it to spread is fairly small.
Years ago (I was using the then recent RHL 7.3), Kaspersky released a virus scanner client for Linux. I pressed them for a catalogue of known Linux viruses. They came up with a list of five, some of which I'd heard of. At least one was a worm (doesn't spread in email), one was maybe a problem in RHL 6.2.
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
That is plain stupidity. It is worse than securing your system sensibly and applying _no_ updates.
If you blindly apply updates as they appear, you will get a broken system, nothing surer.
I'm on a list where folk discuss Linux on IBM zSeries. These are serious folks running serious computer systems supporting serious businesses. Businesses such as Boeing, Wells Fargo, EDS, Citigroup, Bank of America. Where people here sometimes think about running a virtual computer, lotsa those folks run 100 or so in a real box: one maniac became infamous a few years ago by running 40,000 or so of them. Lots run virtual networks (and worry about security between them).
These folk don't apply every patch as it arrives, they look at it, see what it fixes, evaluate how it applies to them, the risk of not applying it, the risk of applying it and probably don't apply it until next patch day. Which might be the next refresh of Nahant.
In my case, I only look after little systems and I do update regularly, and I do download updates automatically, but I always update manually, after seeing what's affected. That way, if something breaks as a result, I will know that something changed.
If you run yum daily to keep the system up2date and something breaks, you will have no idea whether something changed, what changed or when. That's a pretty serious matter if your business depends on it, if you have a dozen or a hundred staff sitting round talking coz the server's down again, if you're filing client's email as spam or turning them away because your website's down. Again.
2005/11/26, John Summerfied debian@herakles.homelinux.org:
Rodolfo Alcazar wrote:
On Fri, 2005-11-25 at 14:48 +0000, Joao Paulo Pires wrote:
'Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities'
I have just read this sentence and I'm concerned because I have only a firewall (from the router and from FC4) working on FC4. Could you explain to me which actions I should take? Note: I have a Toshiba laptop, FC4, Gnome and Thunderbird. The only programs I know are Clamav and Spamassassin. Is it enough? Although I know FC4 has SELinux. Best regards, Joao.
Windows viruses depend on a large number of users all using the same broken software. If you step outside the norm, even on Windows, you reduce the likelihood of infection enormously. Use the Mozilla suite instead of Internet Exploder and Lookout (Express), and viruses relying on the vulnerabilities in MS malware.
In Linux, you don't a) have the numbers (as a proportion of all Internet users) b) have a large proportion all using the same software.
If you check email headers, you will see people here using kmail, mozilla, tbird, evolution, mutt, pine and probably others, and a few using Windows and OS X clients.
The likelihood of someone writing a single virus attacking more than one (counting Mozilla and tbird as one) _and_ getting it to spread is fairly small.
Years ago (I was using the then recent RHL 7.3), Kaspersky released a virus scanner client for Linux. I pressed them for a catalogue of known Linux viruses. They came up with a list of five, some of which I'd heard of. At least one was a worm (doesn't spread in email), one was maybe a problem in RHL 6.2.
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
That is plain stupidity. It is worse than securing your system sensibly and applying _no_ updates.
No it's not. If that's your policy, fine. It shouldn't be an end user's policy though.
If you blindly apply updates as they appear, you will get a broken system, nothing surer.
End users have no clue and thus can't select what they need. Actually, with only backported fixes, nothing should break with tested updates.
I'm on a list where folk discuss Linux on IBM zSeries. These are serious folks running serious computer systems supporting serious businesses. Businesses such as Boeing, Wells Fargo, EDS, Citigroup, Bank of America. Where people here sometimes think about running a virtual computer, lotsa those folks run 100 or so in a real box: one maniac became infamous a few years ago by running 40,000 or so of them. Lots run virtual networks (and worry about security between them).
These folk don't apply every patch as it arrives, they look at it, see what it fixes, evaluate how it applies to them, the risk of not applying it, the risk of applying it and probably don't apply it until next patch day. Which might be the next refresh of Nahant.
In my case, I only look after little systems and I do update regularly, and I do download updates automatically, but I always update manually, after seeing what's affected. That way, if something breaks as a result, I will know that something changed.
I do the same on Rawhide... actually not necessary though on an FC release with only the default repos enabled.
If you run yum daily to keep the system up2date and something breaks, you will have no idea whether something changed, what changed or when. That's a pretty serious matter if your business depends on it, if you have a dozen or a hundred staff sitting round talking coz the server's down again, if you're filing client's email as spam or turning them away because your website's down. Again.
Unless you log... Servers should be maintained by professionals, actually; those know how to log changes to the system. It's possible, and they should also have a test system ready to test updates as they come... guess what the updates-testing repo is for.
--
Cheers John
-- spambait 1aaaaaaa@computerdatasafe.com.au Z1aaaaaaa@computerdatasafe.com.au Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Rudolf Kastl wrote:
The likelihood of someone writing a single virus attacking more than one (counting Mozilla and tbird as one) _and_ getting it to spread is fairly small.
Years ago (I was using the then recent RHL 7.3), Kaspersky released a virus scanner client for Linux. I pressed them for a catalogue of known Linux viruses. They came up with a list of five, some of which I'd heard of. At least one was a worm (doesn't spread in email), one was maybe a problem in RHL 6.2.
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
That is plain stupidity. It is worse than securing your system sensibly and applying _no_ updates.
No it's not. If that's your policy, fine. It shouldn't be an end user's policy though.
Justify your assertion: I gave reasons for mine.
If you blindly apply updates as they appear, you will get a broken system, nothing surer.
End users have no clue and thus can't select what they need. Actually, with only backported fixes, nothing should break with tested updates.
If users want that kind of support they better pay for it. Fedora Core 3 did in fact break just as I said, with USB not working, at least on certain laptops.
On Mon, 2005-11-28 at 21:18 +0800, John Summerfied wrote:
Rudolf Kastl wrote:
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
That is plain stupidity. It is worse than securing your system sensibly and applying _no_ updates.
No it's not. If that's your policy, fine. It shouldn't be an end user's policy though.
Justify your assertion: I gave reasons for mine.
- Checking every update (as extensively as you require) implies a really high cost, a lot of resources. If you can afford that, really it's fine for you, but a common enterprise can't.
- Server-side applications are highly mature.
- Fedora (and Debian in my case) releases well-tested new versions you can trust. And consider that Fedora has a bleeding-edge release philosophy. Debian is more conservative.
- Any failing update can be reversed. I have had this case only once since September 2003, with 5 Fedora servers. The downtime was about 1 hr and was caused by Perl on SquirrelMail. I waited until the next Perl version and all worked fine. Important: store past rpm and apt files.
If you blindly apply updates as they appear, you will get a broken system, nothing surer.
That's highly subjective ("nothing surer"???). GNOME applications have the highest failure rate (I think), and I apply updates daily on my local PC. It has worked really well for a year now. A couple of years ago, some apps, including Evolution, failed occasionally, but now that's history.
End users have no clue and thus can't select what they need. Actually, with only backported fixes, nothing should break with tested updates.
If users want that kind of support they better pay for it. Fedora Core 3 did in fact break just as I said, with USB not working, at least on certain laptops.
Cheers!
-- Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo Netzmanager Padep, GTZ 591-70656800, -22417628, LA PAZ, BOLIVIA http://otbits.blogspot.com -- When you finally buy enough memory, you will not have enough disk space.
On Sat, 2005-11-26 at 07:47 +0800, John Summerfied wrote:
That is plain stupidity. It is worse than securing your system sensibly and applying _no_ updates.
Applying security fixes as they are released is part of securing a system sensibly.
If you blindly apply updates as they appear, you will get a broken system, nothing surer.
Doing anything blindly is not a good approach. However, I have yet to break a system by following this rule:
* On servers, which have a minimal set of packages installed (my servers are usually single-trick ponies), I run automatic updates.
* On workstations (with loads of multimedia, end-user, and whatnot applications) I run yum daily to check for updates and then apply them manually after assessing the risk that mplayer might stop working, or something.
That said, I wish the yum metadata would contain information pointing out security related updates. One could then go and just apply security fixes and their dependencies.
If you run yum daily to keep the system up2date and something breaks, you will have no idea whether something changed, what changed or when.
Not true, /var/log/yum.log.
Cheers Steffen.
On Tue, Nov 29, 2005 at 10:59:24AM +1100, Steffen Kluge wrote:
That said, I wish the yum metadata would contain information pointing out security related updates. One could then go and just apply security fixes and their dependencies.
This is actually in the works right now, from some posts I saw on the yum list.
If you run yum daily to keep the system up2date and something breaks, you will have no idea whether something changed, what changed or when.
Not true, /var/log/yum.log.
Plus, y'know: make your nightly yum script e-mail you the results.
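What a nightly yum run that answers "what changed, and when?" could look like, as an added example written for this thread rather than code posted by anyone in it. It keeps a line-count marker on /var/log/yum.log, mails root only the entries added since the last run, and flags a pending kernel reboot. Assumptions not in the original posts: the FC4 yum.log line format ("Nov 28 03:12:05 Updated: openssh.i386 3.9p1-8.RHFC4.1", i.e. date, time, action, package, version), a local MTA that delivers mail to root, and the marker file path /var/lib/nightly-yum.marker, which is this script's own choice. The sample lines in the demo function are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: nightly yum update that mails root the
# exact yum.log delta, so a breakage can be matched to the packages that changed.
# Assumed yum.log format: "Mon DD HH:MM:SS Action: package version".

YUM_LOG=${YUM_LOG:-/var/log/yum.log}
MARKER=${MARKER:-/var/lib/nightly-yum.marker}   # hypothetical path: yum.log line count at last report

# Print the lines appended to the log ($1) since the line count saved in the
# marker file ($2), then save the new count. A log shorter than the marker
# means it was rotated, so start again from line 1 instead of printing nothing.
yum_log_new_entries() {
    log=$1; marker=$2
    prev=$(cat "$marker" 2>/dev/null)
    case "$prev" in ''|*[!0-9]*) prev=0 ;; esac
    total=$(wc -l < "$log" | tr -d ' ')
    if [ "$total" -lt "$prev" ]; then prev=0; fi
    tail -n +"$((prev + 1))" "$log"
    echo "$total" > "$marker"
}

# Count entries per action (Installed/Updated/Erased), printed as "Action=N" lines.
yum_summary() {
    awk '{ a = $4; sub(/:$/, "", a); n[a]++ } END { for (a in n) printf "%s=%d\n", a, n[a] }' "$@" | sort
}

# Exit 0 if the delta ($1) installed or updated a bootable kernel package
# (kernel, kernel-smp, ...), ignoring kernel-devel/doc/headers/utils.
needs_reboot() {
    grep -E ' (Installed|Updated): kernel' "$1" | grep -Ev 'kernel-(devel|doc|headers|utils)' | grep -q .
}

# Cron entry point: apply updates, then mail the delta (only if something changed).
nightly_update() {
    tmp=$(mktemp) || return 1
    yum -y update >/dev/null 2>&1
    yum_log_new_entries "$YUM_LOG" "$MARKER" > "$tmp"
    if [ -s "$tmp" ]; then
        {
            echo "Packages changed by yum on $(hostname) since the last report:"
            cat "$tmp"
            echo
            echo "Summary:"
            yum_summary "$tmp"
            if needs_reboot "$tmp"; then echo; echo "A kernel was installed: reboot to run it."; fi
        } | mail -s "nightly yum on $(hostname)" root
    fi
    rm -f "$tmp"
}

# Offline demonstration on a constructed yum.log (no yum, no mail).
demo() {
    d=$(mktemp -d)
    printf 'Nov 28 03:12:05 Updated: openssh.i386 3.9p1-8.RHFC4.1\n' > "$d/yum.log"
    yum_log_new_entries "$d/yum.log" "$d/marker" > /dev/null     # first run: baseline
    printf 'Nov 29 03:11:59 Installed: kernel.i686 2.6.14-1.1637_FC4\n' >> "$d/yum.log"
    yum_log_new_entries "$d/yum.log" "$d/marker" > "$d/delta"   # second run: one new line
    cat "$d/delta"; yum_summary "$d/delta"
    needs_reboot "$d/delta" && echo "reboot pending"
    rm -rf "$d"
}

# "run" from cron (e.g. /etc/cron.daily), "demo" to see it work on sample data;
# with no argument the file only defines functions and touches nothing.
case "${1:-}" in run) nightly_update ;; demo) demo ;; esac
```

Drop the file in /etc/cron.daily with "run" as its argument via a one-line wrapper, and the mail in root's inbox becomes the change log John asks for, which unlike /var/log/yum.log is still readable from another machine when the box itself will not boot.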
Matthew Miller mattdm@mattdm.org writes:
Plus, y'know: make your nightly yum script e-mail you the results.
This already happens with the FC4 Logwatch. I get nightly Logwatch emails to the root account, and in it is a section listing yum updates performed since the last Logwatch mail.
Regards Ingemar
Steffen Kluge wrote:
On Sat, 2005-11-26 at 07:47 +0800, John Summerfied wrote:
That is plain stupidity. It is worse than securing your system sensibly and applying _no_ updates.
Applying security fixes as they are released is part of securing a system sensibly.
Look at what they fix; not all security updates, even when they hit packages on one of my systems, matter.
If you blindly apply updates as they appear, you will get a broken system, nothing surer.
Doing anything blindly is not a good approach. However, I have yet to break a system by following this rule:
* On servers, which have a minimal set of packages installed (my servers are usually single-trick ponies), I run automatic updates.
* On workstations (with loads of multimedia, end-user, and whatnot applications) I run yum daily to check for updates and then apply them manually after assessing the risk that mplayer might stop working, or something.
However, your chances of breaking a system are quite good.
FC5 beta 1 installed a kernel on my laptop that does not boot. While this is a beta and all bets are off, it's perfectly possible that the same thing could happen in released versions of Fedora Core. Fedora Core 3 has had several new upstream kernel releases, and KDE has been upgraded from 3.3 to 3.4.
3.4 reliably SIGSEGVs on me on two platforms; I've probably not exercised the right circumstances on FC to find whether we have the problem too.
That said, I wish the yum metadata would contain information pointing out security related updates. One could then go and just apply security fixes and their dependencies.
If you run yum daily to keep the system up2date and something breaks, you will have no idea whether something changed, what changed or when.
Not true, /var/log/yum.log.
It is very hard to read that when your system won't boot. That aside, users' most likely reaction when something breaks and they're asked, "What changed?" is, "I didn't change anything."
Even mailing the log won't happen if it's your mail server that's down.
On Tue, 2005-11-29 at 13:48 +0800, John Summerfied wrote:
FC5 beta 1 installed a kernel on my laptop that does not boot. While this is a beta and all bets are off, it's perfectly possible that the same thing could happen in released versions of Fedora Core.
The installer routine of kernel RPMs always inserts new kernels at position 0 into grub.conf. It won't change the number of the default kernel, though. I always have my current kernel in a position other than 0. That way, I'm never booting a new kernel by default. I try a new kernel when I have time to deal with issues and then make it the default.
Cheers Steffen.
Steffen Kluge wrote:
On Tue, 2005-11-29 at 13:48 +0800, John Summerfied wrote:
FC5 beta 1 installed a kernel on my laptop that does not boot. While this is a beta and all bets are off, it's perfectly possible that the same thing could happen in released versions of Fedora Core.
The installer routine of kernel RPMs always inserts new kernels at position 0 into grub.conf. It won't change the number of the default kernel, though. I always have my current kernel in a position other than 0. That way, I'm never booting a new kernel by default. I try a new kernel when I have time to deal with issues and then make it the default.
If you're booting number 1 and insert a new number 0, then what happens?
The old number 1 becomes 2, the old 0 is the new 1.
Isn't something broken here?
That aside, I think Fedora changes to boot the new kernel regardless of what you do in menu.lst. Unless you fiddle in /etc/sysconfig/kernel, and Steffen wouldn't be alone in overlooking that.
If not Fedora, then EL.
On Wed, 2005-11-30 at 10:27 +0800, John Summerfied wrote:
If you're booting number 1 and insert a new number 0, then what happens? The old number 1 becomes 2, the old 0 is the new 1. Isn't something broken here?
Of course, you're right, this isn't the way I did it. I think I made that up on the spot from quickly glancing at grub.conf. I actually couldn't remember what I did, until I read on...
Unless you fiddle in /etc/sysconfig/kernel
...that's the place to fix it.
Steffen wouldn't be alone in overlooking that.
I didn't. I just forgot about it. In summary, it is (or can be made) safe to update kernels automatically. One can then choose when to boot them.
Cheers Steffen.
John Summerfied debian@herakles.homelinux.org writes:
If you're booting number 1 and insert a new number 0, then what happens?
The old number 1 becomes 2, the old 0 is the new 1.
Isn't something broken here?
On my home computer, which dual-boots Windows XP and FC4, with Windows set as the default in Grub (gaming computer), this works well across kernel updates. Windows is the last in the list and the default changes accordingly when a new kernel is added to the list.
So it isn't broken.
MVH Ingemar
Rodolfo Alcazar wrote:
[snip]
These are the actions you must take
Understand the next points as habits, not as simple actions.
Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
Respectfully, this sounds like a recipe for disaster. I update my system about once a month.
Mike
On Mon, Nov 28, 2005 at 02:13:39PM -0600, Mike McCarty wrote:
[snip]
These are the actions you must take
- Understand the next points as habits, not as simple actions.
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
Respectfully, this sounds like a recipe for disaster. I update my system about once a month.
What disaster do you anticipate? Is it worse than the one that could happen due to an unpatched vulnerability disclosed 29 days earlier?
On Monday 28 November 2005 14:17, Matthew Miller wrote:
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
Respectfully, this sounds like a recipe for disaster. I update my system about once a month.
What disaster do you anticipate? Is it worse than the one that could happen due to an unpatched vulnerability disclosed 29 days earlier?
There are many problems that crop up in released updates; review the archives of this list. I wouldn't run an unattended update session unless the PC is only used for trivial purposes and you can afford the downtime that unattended updates will deliver sooner or later.
Regards, Mike Klinke
On Mon, Nov 28, 2005 at 02:33:03PM -0600, Mike Klinke wrote:
There are many problems that crop up in released updates, review the archives of this list. I wouldn't run an unattended update session unless the PC is only use for trivial purposes and you can afford the down time that unattended updates will deliver sooner or later.
I've seen a lot of problems with updates (which is actually why we do local QA on them before pushing them out), but few crippling ones. And even those could be easily worked-around by reinstalling the old package if needed.
On Monday 28 November 2005 14:40, Matthew Miller wrote:
I've seen a lot of problems with updates (which is actually why we do local QA on them before pushing them out), but few crippling ones. And even those could be easily worked-around by reinstalling the old package if needed.
Believe me, having to "undo" a broken update is more of a pain than waiting a few days to see which natural disaster is reported on the Fedora list from the latest xorg, selinux, or kernel update. Just issue the yum update command when the weather clears and you'll catch all those configuration file changes too.
Regards, Mike Klinke
On Mon, 2005-11-28 at 14:13 -0600, Mike McCarty wrote:
Rodolfo Alcazar wrote:
- Have updated systems! Update your system daily. You must program your yum or apt updates to run at least daily.
Respectfully, this sounds like a recipe for disaster. I update my system about once a month.
I used to think that way. Starting daily updates, and knowing how to reverse an update, gave me the kickstart to try daily updating. Now that's a stable procedure here.
What's the criterion for a monthly update? Now you are taking the risk of having (worst case) 29-day / (best case) 1-day security holes; why not update every 2, 6, 12 months? 29 or 1 day, say 14 on average, is enough time to infect your servers (do not forget this thread's subject: somebody asked how to protect himself against Linux vulnerabilities).
Mike
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that!
-- Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo Netzmanager Padep, GTZ 591-70656800, -22417628, LA PAZ, BOLIVIA http://otbits.blogspot.com -- I will live forever, or die trying.
Steffen Kluge wrote:
On Mon, 2005-11-28 at 14:13 -0600, Mike McCarty wrote:
Respectfully, this sounds like a recipe for disaster. I update my system about once a month.
Why is it safer to update 10 packages once a month than 0.33 packages every day?
Cheers Steffen.
Because packages sometimes get retracted. I like to let them soak for a while before installation. And I don't install 10 a month. Usually, only two or three get updated. Also, when I update, I *look* at what is being updated, and I don't always accept everything there. The poster recommending this was saying he updates *multiple* times per day. That sounds like (presumption here) a cron job. Automated. I take *time* when I update. I don't/can't take the time really to look at what is getting changed several times a day.
Mike
On Mon, 2005-11-28 at 18:31, Mike McCarty wrote:
Why is it safer to update 10 packages once a month than 0.33 packages every day?
Because packages sometimes get retracted. I like to let them soak for a while before installation. And I don't install 10 a month. Usually, only two or three get updated. Also, when I update, I *look* at what is being updated, and I don't always accept everything there.
Can you give some examples of where you have known better by "looking" at the updates than the developers who wrote them about whether you are safer without them?
Les Mikesell wrote:
On Mon, 2005-11-28 at 18:31, Mike McCarty wrote:
Why is it safer to update 10 packages once a month than 0.33 packages every day?
Because packages sometimes get retracted. I like to let them soak for a while before installation. And I don't install 10 a month. Usually, only two or three get updated. Also, when I update, I *look* at what is being updated, and I don't always accept everything there.
Can you give some examples of where you have known better by "looking" at the updates than the developers who wrote them about whether you are safer without them?
I declined xine a couple of times at least, because it wanted to pull a bunch of stuff I didn't have installed. I have declined Thunderbird several times. I have declined Mozilla a couple of times. I have declined OpenOffice at least twice. I have declined up2date every time. I'm glad to say that it is no longer on the list of things which get updated for me. I have declined selinux a few times. I have declined ssh once, I think.
I use yum, not up2date.
Mike
On Mon, Nov 28, 2005 at 06:44:26PM -0600, Les Mikesell wrote:
Can you give some examples of where you have known better by "looking" at the updates than the developers who wrote them about whether you are safer without them?
A lot of the updates for Fedora are "hey, new version of this", not necessarily security updates.
Les Mikesell wrote:
On Mon, 2005-11-28 at 18:31, Mike McCarty wrote:
Why is it safer to update 10 packages once a month than 0.33 packages every day?
Because packages sometimes get retracted. I like to let them soak for a while before installation. And I don't install 10 a month. Usually, only two or three get updated. Also, when I update, I *look* at what is being updated, and I don't always accept everything there.
Can you give some examples of where you have known better by "looking" at the updates than the developers who wrote them about whether you are safer without them?
Oh, BTW, it has little to do with knowing better than anyone. It has to do with churn. I always make a backup before doing an update. If things don't work out, then I can revert.
Mike
Les Mikesell wrote:
On Mon, 2005-11-28 at 18:31, Mike McCarty wrote:
Why is it safer to update 10 packages once a month than 0.33 packages every day?
Because packages sometimes get retracted. I like to let them soak for a while before installation. And I don't install 10 a month. Usually, only two or three get updated. Also, when I update, I *look* at what is being updated, and I don't always accept everything there.
Can you give some examples of where you have known better by "looking" at the updates than the developers who wrote them about whether you are safer without them?
If there's a kernel update fixing a security problem only exploitable with local access, and I control the only account with local access, then I don't need it.
If there's a kernel update fixing a SATA problem, I don't need it.
If there's an Xorg update fixing an nVidia problem, I don't need it.
If there's an update affecting OOo, I probably don't need it unless someone complains.
I've just looked at the kernel changelog for kernel-2.6.10-1.760_dl3. The only change in it I need is one I made.
Examples of kernel fixes I don't want:
- Enable advansys scsi module on x86. (#141004)
- Reintegrate Tux. (#144812)
- Reintegrate netdump/netconsole. (#144068)
- Reenable CONFIG_PARIDE (#127333)
- Add another Lexar card reader to the whitelist. (#143600)
- Package asm-m68k for asm-ppc includes. (don't ask). (#144604)
- Drop 4g/4g patch completely.
- Fix bio error propagation.
- Clear ebp on sysenter return.
- Extra debugging info on OOM kill.
- exit() race fix.
- Fix refcounting order in sd/sr, fixing cable pulls on USB storage.
- IGMP source filter fixes.
- Fix ext2/3 leak on umount.
- fix missing wakeup in ipc/sem
Most, in fact.
On Tue, 2005-11-29 at 14:13 +0800, John Summerfied wrote:
If there's a kernel update fixing a security problem only exploitable with local access, and I control the only account with local access, then I don't need it.
Are you sure? If there's a bug in httpd that allows an attacker to run code as user apache, then the kernel bug may become quite useful to get root.
Why run with a known vulnerability, just because one isn't smart enough to think of an attack vector? Defense in depth...
Cheers Steffen.
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues. I occasionally look in /var/log/yum.log to see if I need to reboot for a new kernel installation, but other than that, I've never had to do anything to my system as a result of an automatic update.
-- Chris
"`The enemy we fight has no respect for human life or human rights. They don't deserve our sympathy,' he said. `But this isn't about who they are. This is about who we are. These are the values that distinguish us from our enemies.' - Sen. John McCain, R-Arizona
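The "look in /var/log/yum.log to see if I need to reboot for a new kernel" check from the post above, as an added shell example (not from the thread or from yum itself): it takes the newest kernel recorded as installed in the log and compares it with the running kernel. The yum.log line format ("Installed: kernel.i686 <version>") and the versions in the sample log are assumptions/constructed samples.

```shell
#!/bin/sh
# Added example (not from the list thread): is a reboot pending after an
# automatic yum update installed a new kernel?
# Assumed yum.log line format (FC3/FC4 era, verify against your own log):
#   Nov 29 04:02:11 Installed: kernel.i686 2.6.14-1.1644_FC4
# Kernel packages are install-only, so new kernels show up as "Installed:",
# never "Updated:". Variants such as kernel-smp are not handled here.

# Print the version of the most recently installed "kernel" package in $1.
# yum.log is chronological, so the last matching line is the newest kernel.
newest_installed_kernel() {
    grep -E 'Installed: kernel(\.[a-z0-9_]+)? ' "$1" \
        | awk '{print $NF}' \
        | tail -n 1
}

# Return 0 (true) when the newest installed kernel differs from the running
# one ($2, default: uname -r), i.e. the box still runs the old kernel and
# any kernel security fix in the update is not yet in effect.
# Returns 1 when no kernel was ever installed via yum or it is already running.
reboot_needed() {
    logfile=$1
    running=${2:-$(uname -r)}
    latest=$(newest_installed_kernel "$logfile")
    [ -n "$latest" ] && [ "$latest" != "$running" ]
}

# Constructed sample log for the demonstration below (not a real yum.log).
make_sample_log() {
    cat >"$1" <<'EOF'
Nov 28 04:01:09 Updated: openssl.i686 0.9.7f-7.10
Nov 29 04:02:11 Installed: kernel.i686 2.6.14-1.1644_FC4
Nov 29 04:02:40 Updated: spamassassin.noarch 3.1.0-1.fc4
Nov 30 04:03:02 Installed: kernel.i686 2.6.14-1.1653_FC4
EOF
}

# Demonstration: pretend the box was last rebooted onto 2.6.14-1.1644_FC4.
sample=$(mktemp)
make_sample_log "$sample"
if reboot_needed "$sample" "2.6.14-1.1644_FC4"; then
    echo "reboot needed: installed $(newest_installed_kernel "$sample")"
else
    echo "running kernel is current"
fi
rm -f "$sample"
```

Run it as root against the real log with `reboot_needed /var/log/yum.log` to compare against `uname -r`.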
Christofer C. Bell wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues. I occasionally look in /var/log/yum.log to see if I need to reboot for a new kernel installation, but other than that, I've never had to do anything to my system as a result of an automatic update.
"So far, so good" said the man, as he fell past the 20th floor.
Mike
On Tue, 2005-11-29 at 14:09, Mike McCarty wrote:
Christofer C. Bell wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues. I occasionally look in /var/log/yum.log to see if I need to reboot for a new kernel installation, but other than that, I've never had to do anything to my system as a result of an automatic update.
"So far, so good" said the man, as he fell past the 20th floor.
That's what I'd say about *not* applying updates as quickly as they are available (although I don't do it automatically either).
Christofer C. Bell wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues.
Your lack of problems means nothing, faced with the fact that many have had problems with FC3, including broken 2.6.11 kernels that would not shut down (my case) or would not boot (others) because of problems with USB.
On Wed, Nov 30, 2005 at 10:38:51AM +0800, John Summerfied wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues.
Your lack of problems means nothing, faced with the fact that many have had problems with FC3, including broken 2.6.11 kernels that would not shut down (my case) or would not boot (others) because of problems with USB.
Yeah, that sucked. But, well... so what? You could just boot into the old kernel until the fixed one came out a few days later.
Matthew Miller wrote:
On Wed, Nov 30, 2005 at 10:38:51AM +0800, John Summerfied wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues.
Your lack of problems means nothing, faced with the fact that many have had problems with FC3, including broken 2.6.11 kernels that would not shut down (my case) or would not boot (others) because of problems with USB.
Yeah, that sucked. But, well... so what? You could just boot into the old kernel until the fixed one came out a few days later.
Most of the machines I tend are a car drive away.
Fortunately, that bit my laptop.
Oh, and the first fixed one wasn't, I'm not sure about the second and about then I lost interest in new kernels for a few months.
On Wed, Nov 30, 2005 at 11:59:14PM +0800, John Summerfied wrote:
Yeah, that sucked. But, well... so what? You could just boot into the old kernel until the fixed one came out a few days later.
Most of the machines I tend are a car drive away.
Okay, so that's a special case where extra caution is warranted. It's not an argument that applies to the general case.
As an aside, for the specific case, investing in a serial console device might be a good idea, because even with the best caution, things can get screwed up.
Fortunately, that bit my laptop. Oh, and the first fixed one wasn't, I'm not sure about the second and about then I lost interest in new kernels for a few months.
Luckily the root exploit holes in those kernels weren't being widely exploited in the wild, or you might have been making that car ride. :)
Matthew Miller wrote:
Fortunately, that bit my laptop. Oh, and the first fixed one wasn't, I'm not sure about the second and about then I lost interest in new kernels for a few months.
Luckily the root exploit holes in those kernels weren't being widely exploited in the wild, or you might have been making that car ride. :)
Fedora is not for real work. Fedora is a rolling beta:-)
If it matters, get something more stable wrt changes.
Note, I do use Fedora, but not on servers and not where a breakage matters.
Wrt those serious folk on Nahant, one of them was mumbling the other day about 10,000 machines.
You do not roll out updates to 10,000 machines if there is any likelihood of something breaking. You do it carefully and infrequently.
2005/12/1, John Summerfied debian@herakles.homelinux.org:
Matthew Miller wrote:
Fortunately, that bit my laptop. Oh, and the first fixed one wasn't, I'm not sure about the second and about then I lost interest in new kernels for a few months.
Luckily the root exploit holes in those kernels weren't being widely exploited in the wild, or you might have been making that car ride. :)
Fedora is not for real work. Fedora is a rolling beta:-)
If it matters, get something more stable wrt changes.
Note, I do use Fedora, but not on servers and not where a breakage matters.
Wrt those serious folk on Nahant, one of them was mumbling the other day about 10,000 machines.
You do not roll out updates to 10,000 machines if there is any likelihood of something breaking. You do it carefully and infrequently.
--
Cheers John
If you can't handle it on servers you certainly shouldn't use it there. It is successfully in production use, though, on various big projects/sites.
regards, rudolf kastl
On 11/29/05, John Summerfied debian@herakles.homelinux.org wrote:
Christofer C. Bell wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues.
Your lack of problems means nothing, faced with the fact that many have had problems with FC3, including broken 2.6.11 kernels that would not shut down (my case) or would not boot (others) because of problems with USB.
Your problems mean nothing, faced with the fact that hundreds of thousands of people have had no problems with FC3, including stable 2.6.11 kernels that shutdown when asked (my case) or boot successfully (others) due to the lack of problems with USB.
(Fixed for you).
It's ok that a few folks have issues, that's to be expected. The vast vast vast majority have no issues whatsoever doing daily automatic updates. *Your* story is anecdotal, not the norm. It's your experience that isn't relevant to most people, not mine.
*shrugs*
-- Chris
Christofer C. Bell wrote:
On 11/29/05, John Summerfied debian@herakles.homelinux.org wrote:
Christofer C. Bell wrote:
It's ok that a few folks have issues, that's to be expected. The vast vast vast majority have no issues whatsoever doing daily automatic updates. *Your* story is anecdotal, not the norm. It's your experience that isn't relevant to most people, not mine.
*shrugs*
--
This thread is about to reach critical mass where people start calling each other Nazi.
Mike
On Fri, 2005-12-02 at 16:14 -0600, Mike McCarty wrote:
Christofer C. Bell wrote:
On 11/29/05, John Summerfied debian@herakles.homelinux.org wrote:
Christofer C. Bell wrote:
It's ok that a few folks have issues, that's to be expected. The vast vast vast majority have no issues whatsoever doing daily automatic updates. *Your* story is anecdotal, not the norm. It's your experience that isn't relevant to most people, not mine.
*shrugs*
--
This thread is about to reach critical mass where people start calling each other Nazi.
You are obviously referring to Godwin's law and not paying attention to the part about...
"It is considered poor form to arbitrarily raise such a comparison with the motive of ending the thread."
Craig
Craig White wrote:
On Fri, 2005-12-02 at 16:14 -0600, Mike McCarty wrote:
Christofer C. Bell wrote:
On 11/29/05, John Summerfied debian@herakles.homelinux.org wrote:
Christofer C. Bell wrote:
It's ok that a few folks have issues, that's to be expected. The vast vast vast majority have no issues whatsoever doing daily automatic updates. *Your* story is anecdotal, not the norm. It's your experience that isn't relevant to most people, not mine.
*shrugs*
--
This thread is about to reach critical mass where people start calling each other Nazi.
you are obviously referring to Godwin's law and not paying attention to
Yes.
the part about...
No.
"It is considered poor form to arbitrarily raise such a comparison with the motive of ending the thread."
Craig
I'm not trying to end the thread. I'm making an observation only. I don't like playing netcop.
Mike
On 12/2/05, Mike McCarty mike.mccarty@sbcglobal.net wrote:
Christofer C. Bell wrote:
This thread is about to reach critical mass where people start calling each other Nazi.
No, just pointing out the fallacy of false correlation:
"I ran auto-update and had a problem, therefore doing auto-update is always bad."
The conclusion doesn't follow from the observation.
Running the yum auto-updater is 100% A-OK for the vast majority of people, and it's the recommended course to take when setting up a Fedora system. Sure, a small percentage of people have had an issue with it (a small and vocal percentage here, for example). That means it's the wrong course for those that had an issue.
Yum auto-updates is exactly what most people should be doing.
-- Chris
Christofer C. Bell wrote:
On 11/29/05, John Summerfied debian@herakles.homelinux.org wrote:
Christofer C. Bell wrote:
I've been running yum auto-update since it was introduced in Fedora Core 3 and never had any issues.
Your lack of problems means nothing, faced with the fact that many have had problems with FC3, including broken 2.6.11 kernels that would not shut down (my case) or would not boot (others) because of problems with USB.
Your problems mean nothing, faced with the fact that hundreds of thousands of people have had no problems with FC3, including stable 2.6.11 kernels that shutdown when asked (my case) or boot successfully (others) due to the lack of problems with USB.
(Fixed for you).
It's ok that a few folks have issues, that's to be expected.
Unless you _know_ beforehand that your system won't be one that gets broken, ...
I'm not often "one of the few," but I'm alert to the possibility I may be.
Steffen Kluge wrote:
On Tue, 2005-11-29 at 14:13 +0800, John Summerfied wrote:
If there's a kernel update fixing a security problem only exploitable with local access, and I control the only account with local access, then I don't need it.
Are you sure? If there's a bug in httpd that allows an attacker to run code as user apache, then the kernel bug may become quite useful to get root.
I had some difficulty accessing material outside of /var/www as user Apache, on WBEL. Try it.
Why run with a known vulnerability, just because one isn't smart enough to think of an attack vector? Defense in depth...
Because the risk of breaking things, especially with Fedora, is greater.
I have seen two successful attacks against Linux systems in the time since I deployed my first Linux server, running RHL 4.0.
Both were on account of weak passwords.
OTOH I cannot count the number of broken systems I've seen when upgrades failed, when upgrades succeeded but their content was broken, when hardware failed.
There was one near miss, where I applied an SSL upgrade a week before someone tested me for its lack.
So there you are, no penetrations at all on account of software vulnerabilities in umpteen years.
On Wed, 2005-11-30 at 10:36 +0800, John Summerfied wrote:
I had some difficulty accessing material outside of /var/www as user Apache, on WBEL.
Maybe exploiting the hypothetical kernel bug doesn't require access to anything particular in the filesystem...
Because the risk of breaking things, especially with Fedora, is greater.
This hasn't been my experience.
I have seen two successful attacks against Linux systems in the time since I deployed my first Linux server, running RHL 4.0.
I've seen many more. Linux boxes get rooted, en masse and all the time. Running software with known vulnerabilities is a major factor in this.
Both were on account of weak passwords.
This is what's left after you patch known vulnerable software. That and 0-day exploits.
OTOH I cannot count the number of broken systems I've seen when upgrades failed, when upgrades succeeded but their content was broken, when hardware failed.
Of all the servers I manage (and all of them use automatic updates) I have never had any issues due to software updates. I concede, though, that I don't use stock kernels on servers, but customised and hardened ones. Hence, there have been no automatic kernel updates.
On workstations I use manual update (as I mentioned earlier) since I wouldn't risk losing 3D screen savers due to a missing nvidia kernel module, but I check daily.
So there you are, no penetrations at all on account of software vulnerabilities in umpteen years.
This is very atypical. Are your systems networked?
Cheers Steffen.
Steffen Kluge wrote:
On Wed, 2005-11-30 at 10:36 +0800, John Summerfied wrote:
I had some difficulty accessing material outside of /var/www as user Apache, on WBEL.
Maybe exploiting the hypothetical kernel bug doesn't require access to anything particular in the filesystem...
It's pretty hard to do anything local without access to the local filesystem:-)
I've seen many more. Linux boxes get rooted, en masse and all the time. Running software with known vulnerabilities is a major factor in this.
Both were on account of weak passwords.
This is what's left after you patch known vulnerable software. That and 0-day exploits.
From my reading, the major source of penetrations, even on Windows, is weak passwords.
OTOH I cannot count the number of broken systems I've seen when upgrades failed, when upgrades succeeded but their content was broken, when hardware failed.
Of all the servers I manage (and all of them use automatic updates) I have never had any issues due to software updates. I concede, though, that I don't use stock kernels on servers, but customised and hardened ones. Hence, there have been no automatic kernel updates.
On workstations I use manual update (as I mentioned earlier) since I wouldn't risk losing 3D screen savers due to a missing nvidia kernel module, but I check daily.
So there you are, no penetrations at all on account of software vulnerabilities in umpteen years.
This is very atypical. Are your systems networked?
All are networked. One was running RHL 7.3 for some years after official support ended, until the owner made a decision about what to do about further maintenance. That box _is_ the firewall, runs web server and mail servers accessible to the world.
It's still running RHL but it has been patched.
On Thu, 2005-12-01 at 00:06 +0800, John Summerfied wrote:
I had some difficulty accessing material outside of /var/www as user Apache, on WBEL.
Maybe exploiting the hypothetical kernel bug doesn't require access to anything particular in the filesystem...
It's pretty hard to do anything local without access to the local filesystem:-)
User apache does have access to the local filesystem, just not outside the jail. However, file access helps but isn't necessarily required to exploit bugs in the kernel. There are plenty of callable kernel routines that have nothing to do with file i/o.
Cheers Steffen.
Steffen Kluge wrote:
On Mon, 2005-11-28 at 14:13 -0600, Mike McCarty wrote:
Respectfully, this sounds like a recipe for disaster. I update my system about once a month.
Why is it safer to update 10 packages once a month than 0.33 packages every day?
If _I_ do the update, I see that it's done and I see what is done. The information is in my head and my prospects of making a connexion are good.
Also, if someone released a broken package, there's a good chance I will find out and/or it will be fixed before I install it.
The serious folk have test systems on which to test and evaluate the reliability of the fixes on their systems. It would not surprise me at all if they normally only start to update when they get their updated CDs, and that they take some weeks to go through the testing cycle.
I used to be a systems programmer (think sysadmin) responsible for maintaining mainframe computers used for making social security payments throughout Australia, and we did not install fixes unless something was broken for us.
If we needed to reinstall (maybe to support new hardware), then we would use the latest release of our software.
--On Friday, November 25, 2005 2:48 PM +0000 Joao Paulo Pires 198mdk@oninet.pt wrote:
"Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities"
As others have pointed out, security is a process, not a state.
The approach you take with Linux is the same you use with Windows. The difference is more in how easy it is to follow best practices. The following apply to both.
Don't run services you don't recognize or understand.
Don't run programs you don't recognize or for which you don't trust the source. (This includes stuff sent by non-programmer friends who didn't compile it themselves.)
Run with the minimum privilege you can. Don't run as root (or Administrator) if you can avoid it. If you think you're doing something risky, run as a "disposable" user in a chroot environment to protect the rest of the system from any badness that may happen.
Monitor security bulletins for the software you use. That includes the Fedora-announce mailing list, but should also include announcement lists for other programs you use. Staying "updated" isn't enough. Sometimes an update won't be immediately available. You need to know when you're at risk, and what measures you can take to mitigate that risk. Ask on this list if you can't find where to subscribe for a particular package's announcement list.
Don't panic. If someone sends you an alert, research it before passing it on, to make sure it's not a hoax. Otherwise real problems will be lost in the noise.
SpamAssassin is not a tool to handle vulnerabilities. It is not even a spam elimination tool when used standalone. What it does, well, is analyze and score messages on an open ended scale from ham to spam. Other tools take that score and deal with the spam score when the email is delivered to the user.
I am also not sure whether ClamAV scans for Linux malware as well as the windows malware it nails. I suggest you have some reading to do from the documentation for some of the tools that are available for scanning mail and dispatching it.
{^_^} ----- Original Message ----- From: "Joao Paulo Pires" 198mdk@oninet.pt
"Linux may not be as vulnerable as Windows, but if you think Linux viruses don't exist, you'd better think again. Virus writers have any number of possibilities"
I have just read this sentence and I'm concerned because I have only a firewall (from the router and from FC4) working on FC4. Could you explain to me which actions I should take? Note: I have a Toshiba laptop, FC4, Gnome and Thunderbird. The only programs I know are Clamav and Spamassassin. Is it enough? Although I know FC4 has SELinux. Best regards, Joao.
"j" == jdow jdow@earthlink.net writes:
j> I am also not sure whether ClamAV scans for Linux malware as well as the windows malware it nails.
Just FYI:
sigtool -l|grep -i linux|wc -l
108
sigtool -l|grep -i linux|head
Backdoor.Linux.Suki.A
Exploit.Linux.Da2.B
Linux.Alaeda.A
Trojan.Linux.Small.I
DDoS.Linux.Fork
DoS.Linux.Blitz
DoS.Linux.Chass
DoS.Linux.Octopus
Exploit.Linux.MySQL.20b4
Exploit.Linux.Pine.v456.Sorbo
so ClamAV does find various Linux-based viruses and worms in scanned files
- J<
On Sun, 2005-11-27 at 10:55 -0600, Jason L Tibbitts III wrote:
"j" == jdow jdow@earthlink.net writes:
j> I am also not sure whether ClamAV scans for Linux malware as well as the windows malware it nails.
Just FYI:
sigtool -l|grep -i linux|wc -l
108
sigtool -l|grep -i linux|head
Backdoor.Linux.Suki.A
Exploit.Linux.Da2.B
Linux.Alaeda.A
Trojan.Linux.Small.I
DDoS.Linux.Fork
DoS.Linux.Blitz
DoS.Linux.Chass
DoS.Linux.Octopus
Exploit.Linux.MySQL.20b4
Exploit.Linux.Pine.v456.Sorbo
so ClamAV does find various Linux-based viruses and worms in scanned files
Nice tip. Thanks!
- J<
-- Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo Netzmanager Padep, GTZ 591-70656800, -22417628, LA PAZ, BOLIVIA http://otbits.blogspot.com -- Hackers do it with fewer instructions...